Your message dated Sat, 26 Jan 2008 14:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#448519: fixed in dspam 3.6.8-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libdspam7-drv-mysql
Version: 3.6.8-5
Severity: grave
Tags: security
Justification: user security hole

The cron job in /etc/cron.daily/libdspam7-drv-mysql calls mysql like
this:

   /usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS

This makes the database password of the dspam database user visible in
the command line, so users may see it using ps. A malicious local user
can use this to connect to the dspam database and read all recent mail of
dspam users. This bug is easily fixed by using a config file or
environment variable to pass the password to mysql.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libdspam7-drv-mysql depends on:
ii  dbconfig-common        1.8.29+etch1      common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.11            Debian configuration management sy
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libdspam7              3.6.8-5           DSPAM is a scalable and statistica
ii  libldap2               2.1.30-13.3       OpenLDAP libraries
ii  libmysqlclient15off    5.0.32-7etch1     mysql database client library
ii  mysql-client-5.0 [mysq 5.0.32-7etch1     mysql database client binaries
ii  ucf                    2.0020            Update Configuration File: preserv
ii  zlib1g                 1:1.2.3-13        compression library - runtime

Versions of packages libdspam7-drv-mysql recommends:
ii  mysql-server-5.0 [mysql-se 5.0.32-7etch1 mysql database server binaries

-- debconf information excluded



--- End Message ---
--- Begin Message ---
Source: dspam
Source-Version: 3.6.8-6

We believe that the bug you reported is fixed in the latest version of
dspam, which is due to be installed in the Debian FTP archive:

dspam-doc_3.6.8-6_all.deb
  to pool/main/d/dspam/dspam-doc_3.6.8-6_all.deb
dspam-webfrontend_3.6.8-6_all.deb
  to pool/main/d/dspam/dspam-webfrontend_3.6.8-6_all.deb
dspam_3.6.8-6.diff.gz
  to pool/main/d/dspam/dspam_3.6.8-6.diff.gz
dspam_3.6.8-6.dsc
  to pool/main/d/dspam/dspam_3.6.8-6.dsc
dspam_3.6.8-6_i386.deb
  to pool/main/d/dspam/dspam_3.6.8-6_i386.deb
libdspam7-dev_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-dev_3.6.8-6_i386.deb
libdspam7-drv-db4_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-db4_3.6.8-6_i386.deb
libdspam7-drv-mysql_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-mysql_3.6.8-6_i386.deb
libdspam7-drv-pgsql_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-pgsql_3.6.8-6_i386.deb
libdspam7-drv-sqlite3_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-6_i386.deb
libdspam7_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7_3.6.8-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian DSPAM Maintainers <[EMAIL PROTECTED]> (supplier of updated dspam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 26 Jan 2008 13:03:18 +0100
Source: dspam
Binary: dspam dspam-webfrontend libdspam7 libdspam7-dev libdspam7-drv-pgsql libdspam7-drv-mysql libdspam7-drv-db4 libdspam7-drv-sqlite3 dspam-doc
Architecture: source i386 all
Version: 3.6.8-6
Distribution: unstable
Urgency: low
Maintainer: [EMAIL PROTECTED]
Changed-By: Debian DSPAM Maintainers <[EMAIL PROTECTED]>
Description: 
 dspam      - is a scalable, fast and statistical anti-spam filter
 dspam-doc  - Documentation for dspam
 dspam-webfrontend - DSPAM is a scalable and statistical anti-spam filter
 libdspam7  - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-dev - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-db4 - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-mysql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-pgsql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-sqlite3 - DSPAM is a scalable and statistical anti-spam filter
Closes: 385353 419312 421944 429967 448519 449530 461133 461134 461135 461137
Changes: 
 dspam (3.6.8-6) unstable; urgency=low
 .
   [Kurt B. Kaiser]
   * Acknowledge NMU. Thanks Adrian Friedli.  (Closes: #448519)
   * dspamc should be setgid. (Closes: #449530, Closes: #461133)
   * Daemon crashes sometimes, can't determine user. (Closes: #385353)
   * Don't ignore make clean error in rules. (Closes: #461134)
   * Move to Standards Version 3.7.3.
   * libdspam7-dev should be Section: libdevel.
   * Switch from ${Source-Version} to ${binary:Version} in control file.
   * Remove postgresql-dev, no longer in archive. (Closes: #429967)
   * Add XS-DM-Upload-Allowed field to control file.
   * Eliminate a bashism from libdspam7-drv-mysql.cron.daily (Closes: #461137)
   * dspam-init: create directory for PIDFILE, if it does not exist.
     (Closes: #461135)
   * Eliminate postgresql-client-8.1 dependency. (Closes: #419312)
   * Move from db4.2 to db4.5 build dependency. (Closes: #421944)
   * dspam-init: Remove 'S' from Default-Stop (Lintian).
   * Remove unused dirs from libdspam7-drv-db4, libdspam7-dev,
     and dspam-webfrontend (Lintian).
 .
   [ Matthijs Mohlmann ]
   * Fix lintian warnings.
   * Fix manpages which had a missing NAME section.
   * Remove overrides for mysql and pgsql, not needed anymore.



--- End Message ---
